

ADA042915


ON  THE  IMPORTANCE  OF  PROGRAM 
INTELLIGENCE  TO  ADVANCED  AUTOMATION 
IN  FLIGHT  OPERATIONS 


UNIVERSITY  OF  ILLINOIS  AT  URBANA-CHAMPAIGN 
COORDINATED  SCIENCE  LABORATORY 
URBANA,  ILLINOIS  61801 


FINAL  REPORT  FOR  PERIOD  7/23/73-5/22/76 


APPROVED  FOR  PUBLIC  RELEASE;  DISTRIBUTION  UNLIMITED. 


AIR  FORCE  AVIONICS  LABORATORY 
AIR  FORCE  WRIGHT  AERONAUTICAL  LABORATORIES 
AIR  FORCE  SYSTEMS  COMMAND 
WRIGHT-PATTERSON  AIR  FORCE  BASE, OHIO  45433 




NOTICE 


When Government drawings, specifications, or other data are used for any purpose
other than in connection with a definitely related Government procurement operation,
the United States Government thereby incurs no responsibility nor any obligation
whatsoever;  and  the  fact  that  the  government  may  have  formulated,  furnished,  or  in 
any  way  supplied  the  said  drawings,  specifications,  or  other  data,  is  not  to  be 
regarded  by  implication  or  otherwise  as  in  any  manner  licensing  the  holder  or  any 
other  person  or  corporation,  or  conveying  any  rights  or  permission  to  manufacture, 
use,  or  sell  any  patented  invention  that  may  in  any  way  be  related  thereto. 

This report has been reviewed by the Information Office (OI) and is releasable to
the National Technical Information Service (NTIS). At NTIS, it will be available
to  the  general  public,  including  foreign  nations. 

This  technical  report  has  been  reviewed  and  is  approved  for  publication. 




Project  Engineer,  System  Concepts  Group 
AF  Avionics  Laboratory 


FOR  THE  COMMANDER 


JAMES D. EVERETT, Colonel, USAF
Chief, System Avionics Division
AF  Avionics  Laboratory 




SECURITY CLASSIFICATION OF THIS PAGE (When Data Entered)

REPORT DOCUMENTATION PAGE

READ INSTRUCTIONS BEFORE COMPLETING FORM

2. GOVT ACCESSION NO.
3. RECIPIENT'S CATALOG NUMBER

4. TITLE (and Subtitle)
THE IMPORTANCE OF PROGRAM INTELLIGENCE TO ADVANCED AUTOMATION IN FLIGHT OPERATIONS

7. AUTHOR(s)
Robert T. Chien, Principal Investigator

9. PERFORMING ORGANIZATION NAME AND ADDRESS
University of Illinois at Urbana-Champaign
Coordinated Science Laboratory
Urbana, Illinois 61801

April 1977

14. MONITORING AGENCY NAME & ADDRESS (if different from Controlling Office)

15. SECURITY CLASS. (of this report)
Unclassified

15a. DECLASSIFICATION/DOWNGRADING SCHEDULE

19. KEY WORDS (Continue on reverse side if necessary and identify by block number)

Program Intelligence
Computer-Aided Decision Making
Degraded Mode Operation
Failure Recovery

20. ABSTRACT (Continue on reverse side if necessary and identify by block number)

In today's sophisticated aircraft, much emphasis has been placed on the
acquiring of and the displaying to the pilot an ever increasing amount of
information obtained during flight missions. This has resulted in increased
workloads for the pilot which force him to evaluate highly complex sets of
input data, to decide upon courses of action, and then to implement those
actions in minimal times. Such a situation is seen as undesirable because
it increases the pilot's chances for making errors which consequently lowers
the probability of mission success.


DD  1473 




20. ABSTRACT (continued)

In order to overcome this undesirable situation, it is argued that a special
purpose computer system can provide intelligently evaluated decisions which
would reduce the pilot's workload and, therefore, his error rate. Supported
by such a computer system, the pilot can then function as a system manager
rather than a system component. Up until now, automated systems developed
to solve this problem do not adequately handle critical circumstances during
times of high workload when the attention of the pilot must be given to
numerous tasks. Such conventional automation systems tend to present even
larger amounts of data to the pilot and to require him to key in requests
for specific information. Whereas they tend to lower workloads during such
non-critical times as when cruising, they tend to increase workloads during
such critical times as close combat. For example, while a scanning motion
on a visual display would normally give the pilot a general idea of the
state of his plane, a similar scan with time-shared display would normally
require him to key in several requests by hand, a task more difficult and
time-consuming for him and which consequently adds to his workload.

In order to continuously provide low workloads and, hence, more safety for
the pilot, his crew and the aircraft itself, the Coordinated Science
Laboratory has developed a system which relieves the pilot of having to
deal with many situations which would detract from his overall mission
goals. This intelligent, computer-aided decision making system (CADM)
works cooperatively with the pilot in order to ensure the safety of the
aircraft and its crew, thereby allowing the accomplishment of successful
missions.


PREFACE 


This final report describes research performed conjointly by
the Coordinated Science Laboratory and the Avionics Research
Laboratory at the University of Illinois. The research effort
investigated and demonstrated applications of programmed
intelligence in flight operations. The work was performed for
the System Avionics Division of the Air Force Avionics
Laboratory, Wright-Patterson AFB, Ohio on Contract Number
F33615-73-C-1238 during the period July 23, 1973 to May 22, 1976.


ABSTRACT 


In today's sophisticated aircraft, much emphasis has been
placed  on  the  acquiring  of  and  the  displaying  to  the  pilot  an 
ever  increasing  amount  of  information  obtained  during  flight 
missions.  This  has  resulted  in  increased  workloads  for  the  pilot 
which  force  him  to  evaluate  highly  complex  sets  of  input  data,  to 
decide  upon  courses  of  action,  and  then  to  implement  those 
actions  in  minimal  times.  Such  a situation  is  seen  as 
undesirable  because  it  increases  the  pilot's  chances  for  making 
errors  which  consequently  lowers  the  probability  of  mission 
success.

In  order  to  overcome  this  undesirable  situation,  it  is 
argued  that  a special  purpose  computer  system  can  provide 
intelligently  evaluated  decisions  which  would  reduce  the  pilot’s 
workload  and,  therefore,  his  error  rate.  Supported  by  such  a 
computer  system,  the  pilot  can  then  function  as  a system  manager 
rather than as a system component. Up until now, automated
systems  developed  to  solve  this  problem  do  not  adequately  handle 
critical  circumstances  during  times  of  high  workload  when  the 
attention  of  the  pilot  must  be  given  to  numerous  tasks.  Such 
conventional  automation  systems  tend  to  present  even  larger 
amounts  of  data  to  the  pilot  and  to  require  him  to  key  in 
requests  for  specific  information.  Whereas  they  tend  to  lower 
workloads  during  such  non-critical  times  as  when  cruising,  they 
tend  to  increase  workloads  during  such  critical  times  as  close 
combat.  For  example,  while  a scanning  motion  on  a visual  display 
would  normally  give  the  pilot  a general  idea  of  the  state  of  his 
plane,  a similar  scan  with  time-shared  display  would  normally 
require  him  to  key  in  several  requests  by  hand,  a task  more 
difficult  and  time-consuming  for  him  and  which  consequently  adds 
to his workload.


In  order  to  continuously  provide  low  workloads  and,  hence, 
more  safety  for  the  pilot,  his  crew  and  the  aircraft  itself,  the 
Coordinated  Science  Laboratory  has  developed  a system  which 
relieves  the  pilot  of  having  to  deal  with  many  situations  which 
would  detract  from  his  overall  mission  goals.  This  intelligent, 
computer-aided  decision  making  system  (CADM)  works  cooperatively 
with  the  pilot  in  order  to  ensure  the  safety  of  the  aircraft  and 
its  crew,  thereby  allowing  the  accomplishment  of  successful 
missions. 


TABLE OF CONTENTS


SECTION

I INTRODUCTION
  1.1 The CADM System
    1.1.1 System Goals for CADM
      1.1.1.1 CADM Failure Handling
      1.1.1.2 The Pilot-CADM Relationship
      1.1.1.3 The Generality of CADM
    1.1.2 CADM System Elements
  1.2 Pilot-CADM Interaction
    1.2.1 The Master Monitor Display
      1.2.1.1 The Display of Status Information
      1.2.1.2 The Display of CADM Activities
    1.2.2 Pilot-to-CADM Communication

II DEVELOPMENT OF THE CADM SYSTEM
  2.1 The CADM Problem Domain
  2.2 The CADM System
    2.2.1 The Simulated Avionics System
      2.2.1.1 The Aircraft Model
      2.2.1.2 The Aircraft Subsystem Model
        2.2.1.2.1 The Fuel/Engine System
        2.2.1.2.2 The Electrical System
        2.2.1.2.3 The Hydraulic System
    2.2.2 The CADM Shared Data Base
    2.2.3 Hardware I/O for the Simulator
    2.2.4 Programmed Intelligence for CADM
      2.2.4.1 Control Structure Considerations for CADM
      2.2.4.2 Pattern Directed Invocation of Procedures
      2.2.4.3 The DEMON System
      2.2.4.4 CADM Generated Procedures
      2.2.4.5 The Pilot-CADM Interface
        2.2.4.5.1 The Displays and Controls
        2.2.4.5.2 CADM Task Allocation and Conflict Resolution
  2.3 Advanced Features of CADM
    2.3.1 Generalized CADM Correction Procedures
    2.3.2 Histories and Error Recovery
    2.3.3 Multiple Failure Handling

III THE SIGNIFICANCE OF CADM - AN OVERVIEW
  3.1 The Generality of CADM
    3.1.1 CADM Knowledge Structure
    3.1.2 Hierarchies of System Component Classes
    3.1.3 System Parametric Definitions of Failures
  3.2 The Adaptability of CADM
    3.2.1 CADM's Role as an Operator
    3.2.2 Adaptability Demonstrated by Program Response
      3.2.2.1 Responses to Failures
      3.2.2.2 Responses to Pilot Intervention
      3.2.2.3 Responses to Correction Procedure Failures

REFERENCES


LIST OF ILLUSTRATIONS


FIGURE  TITLE

1  The CADM Software System
2  The Master Monitor Display
3  A Hierarchy of Procedures Involving an Electrical Instrument


LIST OF TABLES


TABLE  TITLE

1  CADM Messages


SECTION  I 


INTRODUCTION 

In today's sophisticated aircraft, much emphasis has been
placed on the acquiring of and the displaying to the pilot an
ever increasing amount of information obtained during flight
missions. This has resulted in increased workloads for the pilot
which force him to evaluate highly complex sets of input data, to
decide upon courses of action, and then to implement those
actions in minimal times. Such a situation is seen as
undesirable because it increases the pilot's chances for making
errors which consequently lowers the probability of mission
success.

In order to overcome this undesirable situation, it is
argued that a special purpose computer system can provide
intelligently evaluated decisions which would reduce the pilot's
workload and, therefore, his error rate. Supported by such a
computer system, the pilot can then function as a system manager
rather than as a system component. Up until now, automated
systems developed to solve this problem do not adequately handle
critical circumstances during times of high workload when the
attention of the pilot must be given to numerous tasks. Such
conventional automation systems tend to present even larger
amounts of data to the pilot and to require him to key in
requests for specific information. Whereas they tend to lower
workloads during such non-critical times as when cruising, they
tend to increase workloads during such critical times as close
combat. For example, while a scanning motion on a visual display
would normally give the pilot a general idea of the state of his
plane, a similar scan with time-shared display would normally
require him to key in several requests by hand, a task more
difficult and time-consuming for him and which consequently adds
to his workload.

In order to continuously provide low workloads and, hence,
more safety for the pilot, his crew and the aircraft itself, the
Coordinated Science Laboratory has developed a system which
relieves the pilot of having to deal with many situations which
would detract from his overall mission goals. This intelligent,
computer-aided decision making system (CADM) works cooperatively
with the pilot in order to ensure the safety of the aircraft and
its crew, thereby allowing the accomplishment of successful
missions.


1.1 The CADM System

The  computer-aided  decision  making  system  (CADM)  was 
designed  to  handle  a broad  class  of  complex  problems  in  a real 
world  problem  solving  domain.  The  CADM  system  which  was 
implemented  operates  to  correct  and  compensate  for  midflight 
failures  of  aircraft  components  that  require  degraded  mode 
operation.  These  failures  may  occur  in  the  fuel  system  and  in 
the  electrical  system.  In  doing  so,  the  system  constructs 
correction  and  monitoring  procedures  which  specifically  fit  the 
airplane  configuration,  the  component  allocation  and  the  failure. 

These general correction procedures allow the system to be
essentially airplane independent. However, in order to
demonstrate  these  concepts  the  system  implemented  at  the 
Coordinated  Science  Laboratory  corrects  and  compensates  for 
failures  in  the  fuel  and  electrical  systems  of  a twin  engine  jet 
aircraft.  In  addition,  it  allows  real  time  interaction  with  the 
airplane  models  and  pilot. 


1.1.1 System Goals for CADM

Within  this  domain,  certain  goals  of  performance  were 
established.  These  goals  are  1)  to  instill  CADM  with  the  ability 
to  handle  multiple  failures,  2)  to  establish  a good  working 
relationship  between  CADM  and  the  pilot,  and  3)  to  make  the 
system as general as possible.


1.1.1.1 CADM Failure Handling

The  handling  of  failures  involves  not  only  the  cases  in 
which  failures  occur  singly,  but  also  those  cases  in  which 
multiple  failures  occur  simultaneously,  as  well  as  those  cases  in 
which  failures  occur  while  CADM  is  monitoring  the  progress  of 
on-going  correction  procedures.  In  order  to  accomplish  this, 
CADM  oversees  the  allocation  of  aircraft  components  by  means  of  a 
variable  priority  structure  which  relates  the  relative  importance 
of correcting a class of failures to the mission profile and
available equipment.


1.1.1.2 The Pilot-CADM Relationship

CADM's overriding concern is that the pilot must be able to
assume full control over the airplane's capabilities in order to
successfully carry out the mission. For this reason, CADM must
be careful not to undo pilot actions, and must, therefore,
continuously monitor the pilot's actions. In order to keep the
pilot informed of what CADM is doing and is trying to accomplish,
CADM provides the pilot with information concerning CADM
detections, corrections, and perceptions of failures within the
aircraft. However, the CADM system attempts to keep from
burdening the pilot with excessive or extraneous information.
The  information  is  available  if  the  pilot  wishes  it,  but  it  is 
not  forced  upon  him. 


1.1.1.3 The Generality of CADM

In attempting to maintain generality for the CADM system,
the techniques used for correcting failures are not directed
toward a fixed class of errors on a specific airplane type.
Accordingly, the system developed introduces generality into two
areas. First, the airplane model is treated as factual data
rather than as explicit coding into the program. Second, the
correction procedures are generalized to model component and
instrument types rather than to specific switches or dials, and
are implemented with knowledge of how these component types
operate and affect the operation of the airplane.


1.1.2  CADM  System  Elements 


The overall system is depicted in Figure 1. As new data is
received from the common data base, the information is
automatically processed by special purpose procedures (called
DEMONS).


The DEMON system allows effective monitoring of on-going
correction procedures. Using the DEMON system, the pilot's
actions can be monitored in order to allow CADM to operate
without interfering with the pilot's actions. DEMONS also allow
the re-evaluation of on-going correction procedures in order to
upgrade them to more efficient ones, or in the case of failure,
to use system maintained histories to construct alternate
correction procedures in order to perform error recovery.


A check is made to determine if failures exist, and if so,
whether they are already being corrected by the pilot or CADM
actions. The failures to be corrected are ordered, and the
system then attempts to construct a correction procedure (and its
corresponding monitoring procedure). If successful, actions are
taken and the success or failure of the procedure is monitored as
new information is received. During all of these steps,
information about CADM's actions is relayed to the pilot.


1.2 Pilot-CADM Interaction

The effectiveness of a CADM in performing its functions, and
consequently the viability of a mission itself, depends on the
effectiveness of the interactions between CADM and the pilot. By
sensing component malfunctions and failures of aircraft
components, and subsequently effecting corrections or
compensations for these malfunctions, CADM in fact relieves the
pilot from having to make these corrections himself. This is a
definite asset to the pilot engaged in combat or in other
circumstances which demand his attention. On the other hand,
CADM organizes information about its findings and its actions
which it then can relay to the pilot on a visual display. The
pilot can investigate further by requesting as much information
as he desires. Any actions the pilot may take, however, cannot
be countered by actions from CADM.

1.2.1 The Master Monitor Display

Information from CADM is displayed to the pilot on the
Master Monitor Display (MMD). The information displayed is of
two types, namely, general sensory and control status
information, and information about CADM's activities.


1.2.1.1 The Display of Status Information


Because the amount of information available from the
sensors, the controls, and CADM is very large, the information
has been hierarchically organized for convenient display on the
MMD [1,2]. Figure 2 shows a display on the MMD. The top
two-thirds of the display is a page of data from the hierarchy.
The pilot has a choice of six top level pages which display
information about either the fuel, the electrical, the hydraulic
or the engine subsystems, the flight plan or the failure monitor.
Most of these top level data pages branch to other pages with
more specific data. For example, the hydraulic data page has
three branches to pages which display the pump system, the
landing gear status, and the flap and wing sweeps. Data elements
are intensified when they change, and thus attract the pilot's
attention. After a short time with no change, the intensity is
lowered.

The  pilot  uses  a touchtone-like  keyboard  to  choose  data 
pages  and  branches.  With  so  few  keys,  it  is  possible  to  learn 
how  to  perform  without  actually  looking  at  the  keyboard. 
Keyboard  entries  preceded  by  a control  character  select  options 
on  the  multi-function  display  [3]  which  occupies  the  lower 
one-third  of  the  MMD.  The  function  currently  in  use  is 
intensified  for  easy  reference  by  the  pilot.  The  multi-function 
display  allows  the  pilot  to  put  CADM  into  any  of  three  modes: 
off,  monitoring  only,  and  on.  In  this  way,  he  can  easily 
override  the  CADM  system. 


FUEL TANKS
  FRONT   9  FUEL QUANTITY    1000
          8  DRAIN PUMP       OFF
  REAR    7  FUEL QUANTITY    1000
          6  DRAIN PUMP       OFF
  5  FUEL PUMPS
  VALVES  4  FRONT TO LEFT    OPEN
          3  FRONT TO RIGHT   OPEN
          2  REAR TO LEFT     OPEN
          1  REAR TO RIGHT    OPEN

  7 ENGINES     8 FLT PLN          9 FAILURE MON.
  4 HYDRAULIC   5 ELECTRICAL       6 FUEL
  1 CADM OFF    2 CADM DETECTING   3 CADM ON

Figure 2. The Master Monitor Display



1.2.1.2 The Display of CADM Activities


On the right side of each data page, status information
indicates whether or not CADM has operated a particular control
recently, and also indicates whenever a particular subsystem or
component has failed. Messages concerning failures, along with
their times of occurrence are displayed to the pilot at the
bottom of the MMD. Table 1 summarizes the messages which CADM
can send to the pilot. The pilot can access the corresponding
data pages if he wishes more information concerning CADM's
actions.


1.2.2 Pilot-to-CADM Communication

CADM  must  perform  its  functions  subject  to  the  actions  of 
the  pilot.  In  order  to  operate  properly,  CADM  must  be  made  aware 
that  the  pilot  just  closed  a fuel  valve,  for  instance,  if  it  is 
to  not  undo  that  action  while  it  attempts  to  correct,  say,  a fuel 
supply  problem.  In  order  to  monitor  the  pilot’s  actions,  a DEMON 
system  is  used  by  CADM.  This  DEMON  system  maintains  a record  of 
what  equipment  the  pilot  is  currently  using  and  when  he  last  used 
it.  In  this  manner,  CADM  is  able  to  determine  whether  the  pilot 
is  using  equipment  which  it  has  allocated  for  its  own  correction 
procedures. If the pilot is using such equipment, CADM can
suspend  the  violated  correction  procedure  and  attempt  to 
construct  one  which  does  not  interfere  with  the  pilot's  actions. 
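
The following sketch is an added example, not code from the report or from the CADM implementation. It shows the behaviour described above: a demon records pilot use of equipment, suspends any correction procedure that had allocated that equipment, and constructs an alternative that leaves the pilot's setting alone. The class names, the PILOT_HOLD window and the "left engine fuel supply" failure are assumptions; the valve names follow the fuel page in Figure 2.

```python
from dataclasses import dataclass

# Fuel valves as named on the MMD fuel page (Figure 2): valve -> (tank, engine fed).
VALVES = {
    "front_to_left": ("front", "left"),
    "front_to_right": ("front", "right"),
    "rear_to_left": ("rear", "left"),
    "rear_to_right": ("rear", "right"),
}


@dataclass
class Procedure:
    """A correction procedure and the equipment it has allocated (hypothetical shape)."""
    failure: str
    engine: str
    valve: str
    status: str = "active"


class SharedDataBase:
    """Constructed stand-in for the shared data base: every write fires matching demons."""

    def __init__(self):
        self.state = {}
        self.demons = []  # list of (pattern, action) pairs
        self.clock = 0    # one tick per write

    def add_demon(self, pattern, action):
        self.demons.append((pattern, action))

    def write(self, source, item, value):
        self.clock += 1
        self.state[item] = value
        event = {"t": self.clock, "source": source, "item": item, "value": value}
        for pattern, action in list(self.demons):
            if pattern(event):  # pattern-directed invocation
                action(event)
        return event


class Cadm:
    PILOT_HOLD = 50  # assumption: ticks for which pilot-used equipment stays off limits

    def __init__(self, sdb):
        self.sdb = sdb
        self.pilot_use = {}   # equipment -> time the pilot last used it
        self.procedures = []
        self.messages = []    # what would be relayed to the pilot display
        sdb.add_demon(lambda e: e["source"] == "pilot", self.on_pilot_action)

    def pilot_holds(self, equipment):
        last = self.pilot_use.get(equipment)
        return last is not None and self.sdb.clock - last <= self.PILOT_HOLD

    def construct(self, failure, engine):
        """Build a procedure from any usable valve the pilot is not using."""
        for valve, (tank, feeds) in VALVES.items():
            if feeds != engine or self.pilot_holds(valve):
                continue  # never allocate, and so never undo, pilot-used equipment
            if self.sdb.state.get(f"{tank}_quantity", 0) <= 0:
                continue  # an empty tank cannot supply the engine
            proc = Procedure(failure, engine, valve)
            self.procedures.append(proc)
            self.sdb.write("cadm", valve, "OPEN")
            self.messages.append(f"{failure}: correcting via {valve}")
            return proc
        self.messages.append(f"{failure}: no correction available")
        return None

    def on_pilot_action(self, event):
        """Demon body: record the use, suspend violated procedures, try again."""
        self.pilot_use[event["item"]] = event["t"]
        for proc in list(self.procedures):
            if proc.status == "active" and proc.valve == event["item"]:
                proc.status = "suspended"
                self.messages.append(f"{proc.failure}: suspended, pilot using {proc.valve}")
                self.construct(proc.failure, proc.engine)


def demo():
    """Constructed scenario: the pilot closes the valve CADM had allocated."""
    sdb = SharedDataBase()
    cadm = Cadm(sdb)
    sdb.write("airsys", "front_quantity", 1000)
    sdb.write("airsys", "rear_quantity", 1000)
    first = cadm.construct("left engine fuel supply", "left")
    sdb.write("pilot", "front_to_left", "CLOSED")
    return sdb, cadm, first


if __name__ == "__main__":
    _, cadm, _ = demo()
    print("\n".join(cadm.messages))
```
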


Table 1. CADM Messages.


Although  no  attempt  was  made  to  endow  CADM  with  the  ability 
to  determine  the  pilot's  intentions,  a preliminary  study  was  made 
to  determine  whether  it  is  feasible  to  make  such  an  attempt  in 
future  computer  aided  decision  making  systems.  This  study  was 
based  on  the  following  reasoning. 

When  flying  an  aircraft,  a pilot  has  both  control  and 
monitoring  tasks.  When  one  of  his  monitoring  tasks  requires  more 
attention  than  usual,  it  is  expected  that  the  pilot's  control 
performance  will  be  affected.  Therefore,  by  inspecting  the 
pilot's  control  performance,  it  should  be  possible  to  determine 
if  his  attention  is  directed  to  one  of  his  monitoring  tasks. 
With  this  information,  CADM  could  possibly  determine  which 
monitoring  task  has  attracted  the  pilot's  attention,  and  then 
CADM  can  perform  its  actions  without  conflicting  with  the  pilot's 
actions.  The  feasibility  of  such  an  approach  could  allow  CADM  to 
infer  what  the  pilot  is  doing  without  explicitly  asking  him. 

The aircraft situation was abstracted to include only a
pursuit tracking task with randomly occurring arithmetic side
tasks [4,5]. Subjects were instructed to minimize tracking error
while solving the arithmetic problems without making
multiplication errors.

The displayed tracking error and joystick outputs were
monitored. A fading memory system identification algorithm [6,7]
was employed to find the parameters of an N-th order sampled-data
linear model of the pilot's tracking behavior. Through
discriminant analysis [8] on these parameters, pure tracking and
tracking plus mental arithmetic modes were distinguished. It was
then concluded that CADM could be profitably augmented by such a
method for detecting the shifts of attention in a real time
environment.


SECTION  II 

DEVELOPMENT  OF  THE  CADM  SYSTEM 

It being the goal of this research to construct a prototype
system which demonstrates the feasibility of computer aided
decision making during inflight operations, the CADM system
evolved through three phases of development. During the first
phase, an analysis of flight operations was undertaken and tasks
which the pilot performed were identified in order to define the
functions of CADM [9]. During the second phase, CADM was
implemented to perform several simple tasks during degraded mode
operation of a simulated aircraft [10]. During the third phase,
the task domain for CADM was enlarged to include the correction
of complex failures brought about by the interdependence of
various subsystems [11]. The final demonstration of the CADM
showed its usefulness in degraded mode operation of aircraft
[12]. In addition, the CADM system developed was demonstrated to
be general with respect to aircraft types and extensibility of its
environment.

2.1 The CADM Problem Domain

In  defining  the  problem  domain  for  CADM,  consideration  was 
given  to  the  tasks  which  the  pilot  must  perform  while  in  flight, 
in  addition  to  the  state  of  the  art  technologies  for  automating 
these  tasks.  In  general,  the  pilot  must  control  the  aircraft  and 
many of its subsystems; he must monitor the status of the
controls and the various subsystems; and he must attempt to
correct failures or compensate for failures which result from
malfunctioning components. Systems like the integrated
information presentation and control system (IIPACS), developed
at Boeing, advanced the concept that the pilot should be a system
manager with the responsibility to make high-order decisions.
IIPACS, however, did not succeed in decreasing the pilot's
overall workload during critical times, although it did decrease
his workload at non-critical times.

The  pilot  was  presented  with  sensory  information,  failure 
detection  information,  fuel  level  status,  etc.,  but  he  still  had 
to  perform  most  of  the  corrections  himself. 

Of  the  pilot’s  many  tasks,  most  can  be  performed  by  brute 
force,  number-crunching  methods.  However,  tasks  such  as  failure 
detection,  prediction  and  correction,  and  degraded  mode  operation 
require  intelligent  assessment.  Heuristic  methods  developed  in 
the  area  of  artificial  intelligence  can  be  applied  in  order  to 
augment  the  pilot's  capabilities  with  computer  aided  decision 
making.  In  addition,  a form  of  intelligent  intercourse  between 
the  pilot  and  a CADM  system  can  enable  CADM  to  relieve  the  pilot 
of  an  excessive  workload. 


2.2 The CADM System

In this light, CADM was presented as a system which performs
failure detection and correction during degraded mode operation,
and which works cooperatively with the pilot to maintain the
safety of the aircraft in order to complete successful missions.
To this end CADM was designed to seek alternative correction
procedures when its prescribed actions are seen to interfere with
the pilot's actions.

2.2.1 The Simulated Avionics System

In order to create a realistic environment for the
development and testing of computer aided decision making system
software, an integrated software model of the functions of an
aircraft and its operating environment was written.

2.2.1.1 The Aircraft Model

The aircraft simulated is a single seat, twin jet,
variable-geometry, fighter plane. The engines develop 15,000
pounds of thrust each, and the wings have five sweep settings.
The flaps located on the trailing edges of the wings can be
extended for wing sweep angles of 35 degrees or less. The
landing gear have two positions, namely, fully extended and fully
retracted.


The aerodynamics simulation programs simulate all aircraft
motions except yaw and side force. Also, lateral motion is
restricted to roll only. Inputs to the aerodynamic simulation
come from the control stick, the throttles and the subsystem
simulation.


2.2.1.?  The  Aircraft  Subsystem  Model 

The  aircraft  subsystem  model  (AIRSYS)  is  the  primary  work 
area  for  the  CADm  system.  Through  it  the  CADM  can  investigate 
and  act  on  its  environment.  AIRSYS  provides  CADM  with  numerical 
data  on  various  systems  and  components  of  the  aircraft,  and  it 
allows  the  CADM  alternatives  for  the  correcting  of  a failure  when 
a system  or  a subsystem  malfunctions.  The  aircraft  subsystems 
modeled  in  AIRSYS  are  the  fuel/engine  system,  the  electrical 
system  and  the  hydraulic  system. 


2. 2. 1.2.1  The  Fuel/Engine  System 

The  fuel/engine  system  is  composed  of  two  engines,  two  fuel 
tanks,  two  drain  pumps,  one  intertank  pump,  two  engine  driven 
fuel  pumps,  two  electric  fuel  pumps,  and  four  valves.  The  valve 
plumbing  network  allows  one  fuel  tank  to  feed  either  or  both 
engines. In addition, the system produces, through the electrical
system, sensor outputs and failure characteristics for the CADM
to evaluate.




2.2.1.2.2 The Electrical System

The  electrical  system  is  composed  of  two  engine  driven 
generators,  two  fuel  pumps,  two  hydraulic  pumps,  48  circuit 
breakers, all sensors, and all valve actuators. Failures in this
system  are  caused  by  the  incorrect  opening  of  the  individual 
circuit  breakers  for  the  AIRSYS  components. 




2.2.1.2.3 The Hydraulic System

The  hydraulic  system  is  composed  of  one  hydraulic  fluid 
reservoir,  two  engine  driven  hydraulic  pumps,  two  electrically 
driven hydraulic pumps, one accumulator pressure tank, eight
valves, and the mechanisms for activating the wing sweep, the
landing gear, and the flaps. Failures of components in this
system can cause the landing gear, the flaps, and the wing sweep
to be jammed in their current states. Also, the wing sweep can
be jammed because of reduced hydraulic pressure in the
accumulator pressure tank. Even with reduced pressure, however,
the landing gear and flaps can still be operated hydraulically.
Total  system  failure  can  result  from  the  loss  of  the  pumps,  the 
loss  of  hydraulic  pressure  or  the  jamming  of  the  valves. 


2.2.2 The CADM Shared Data Base

The  pilot,  AIRSYS,  and  CADM  all  interact  through  a shared 
data base (SDB). In addition, a Gremlin routine can set failures
in  AIRSYS  by  operating  on  the  SDB.  All  three  AIRSYS  systems  are 




heavily  interconnected.  Failures  in  one  system  could  cause 
failures  in  another,  thereby  increasing  the  complexity  of  any 
correction  scheme.  Cooperation  between  the  systems  and  the 
duplication  of  efforts  offers  the  CADM  and  the  pilot  a number  of 
alternatives  when  responding  to  a component  failure,  hence, 
making the possibility of total system failure more remote, and
also  increasing  the  complexity  of  the  solution  task. 


2.2.3 Hardware I/O for the Simulator

The  hardware  of  the  simulator  includes  a joystick,  two 
throttles,  a touchtone  keyboard  to  input  and  request  data,  a 
monitor  display  to  display  present  AIRSYS  states,  and  a vertical 
situation  display  (VSD). 

The  pilot  utilizes  the  touchtone  keyboard  to  input  changes 
and  corrections  into  AIRSYS.  Through  the  keyboard,  the  pilot  can 
change  the  wing  sweep  angle,  the  flap  angle,  and  the  gear  state. 
He  can  also  investigate  or  change  the  current  state  of  any  AIRSYS 
component  and  can  correct  a failure  through  the  use  of  the 
appropriate  code  input  to  the  keyboard. 

The  VSD  displays  aircraft  pitch  and  bank  angle  on  an 
artificial  horizon.  Heading  is  displayed  on  a compass. 
Altitude,  airspeed,  rate  of  climb,  and  command  information  are 
displayed on the VSD by means of bar graphs, alphanumeric
symbols,  and  a moving  aircraft  symbol. 


2.2.4  Programmed  Intelligence  for  CADM 

In  order  to  achieve  the  capabilities  stated  earlier  for 
CADM,  artificial  intelligence  techniques  were  applied.  Among  the 
techniques  used  are  pattern  directed  invocation  of  procedures,  a 
DEMON system and CADM-generated special purpose procedures. The
use  of  these  techniques  has  allowed  the  implementation  of  a 
system  with  a flexible  control  structure  in  which  new  types  of 
failure,  detection  and  correction  procedures  can  be  easily  added. 


2.2.4.1 Control Structure Considerations for CADM

In  order  to  allow  CADM  to  operate  in  varying  environments, 
the  control  structure  was  implemented  in  a manner  which  allows 
easy  introduction  of  new  failure  types  and  corrective  procedures. 
This  flexibility  allows  CADM  to  alter  its  own  correction 
procedures  and  failure  detection  criteria.  As  new  types  of 
failures  such  as  jams  are  determined,  corrective  procedures 
dependent  on  the  malfunctioning  apparatus  could  be  altered  or 
removed.


Among  the  performance  criteria  which  influenced  the  design 
of  the  control  structure  were: 


1.  The  most  important  failures  are  to  be  attended  to 
first.  This  necessitated  the  inclusion  of  a 
priority  structure. 

2.  Without  interfering  with  1,  an  attempt  should  be 
made  to  correct  errors  in  such  a manner  that 
internal  conflict  is  minimized.  When  correcting 
two  simultaneous  failures,  an  attempt  should  be 
made  to  apply  procedures  which  use  different 
apparatus.  This  implies  the  need  for  a protection 




mechanism  to  indicate  and  reserve  equipment  needs 
for  the  corrections. 

3.  The  corrections  generated  by  CADM  should  be  methods 
which  involve  the  least  conflict  with  any  pilot 
action.  CADM  tries  to  complement  the  pilot's 
actions  rather  than  to  compete  with  him  for  use  of 
the available equipment.

As  a consequence  of  3,  CADM  must  be  able  to 
recognize  pilot  actions  and  determine  how  these 
actions  affect  failures  which  have  been  corrected 
and  are  being  monitored,  as  well  as  those  that  are 
presently  being  corrected. 


2.2.4.2 Pattern Directed Invocation of Procedures

It  is  not  practical  to  build  a decision  tree  that 
incorporates  all  the  possible  combinations  for  all  the  failures. 
Operating  with  a more  complicated  airplane  model  would 
necessitate  a great  deal  of  rewriting  to  include  new  sensor 
combinations. Much of the flexibility is lost if the detection
apparatus is in the form of a big flow chart. In order to
overcome this, CADM's detection procedures are pattern-invoked.
Associated with each procedure is a pattern, or template, which
is a list composed of constants and variables. This means that a
program can be called not only by name, but also whenever a datum
element which matches the program's pattern is entered into the
internal CADM database. A datum element representing a sensory
input can directly invoke a program. Such a program is referred
to as a DETECTION DEMON. Because of this feature, sensor reading
data  do  not  have  to  be  checked  needlessly.  Furthermore,  such 
pattern-invoked  programs  are  easy  to  add  into  the  program  base 




without  disturbing  the  calling  sequences  and  logic  branches  that 
already  exist. 


2.2.4.3 The DEMON System

DEMONS  are  employed  to  aid  CADM  with  its  failure  detection 
and  correction  procedures.  As  mentioned  above,  a DETECTION  DEMON 
can  be  evoked  by  the  matching  of  a program  pattern  with  a datum 
element  entered  into  the  CADM  database.  The  same  type  of 
DETECTION  DEMON  structure  is  used  to  observe  any  pilot  changes  in 
valve  or  pump  settings.  If  changes  are  found  to  have  occurred, 
CADM  can  assess  their  relevance  to  failures  being  corrected  and 
take  appropriate  action,  such  as  suspending  the  correction. 

When  a failure  is  being  corrected,  CADM  does  not  assume 
that,  just  because  certain  switch  settings  have  been  altered,  the 
error  no  longer  exists.  Rather  CADM  waits  to  ensure  that  the 
expected  response  to  the  action  occurs.  However,  in  order  to 
avoid  remaining  idle  during  this  time,  CADM  monitoring  procedures 
are  constructed  for  each  correction  of  a failure  at  the  time  of 
correction.  A SUCCESS  PREDICATE  tests  for  a successful 
completion  of  the  correction  and  a SUCCESS  PROGRAM  is  executed 
when  the  corrector  succeeds.  Likewise,  a FAIL  PROGRAM  is 
executed  when  the  correction  does  not  succeed. 

These  detection  procedures  are  invoked  after  a certain 
amount  of  time  has  elapsed.  New  values  of  time  invoke  the 
particular monitoring procedure, and the pattern invoking


mechanism  which  was  employed  during  detection  of  failures  is  also 
used.  A MONITORING  DEMON  is  created.  The  pattern  contains  a 
time  variable  and  the  body  contains  the  monitoring  procedure 
along  with  information  to  restrict  the  times  when  it  can  be 
invoked  and  reinvoked.  When  a MONITORING  DEMON  has  served  its 
purpose  (either  a success  or  a failure  has  been  observed),  it  is 
removed  from  the  system. 

After  the  MONITORING  DEMON  has  been  created,  an  active  list 
is  updated  to  include  the  present  failure,  how  the  failure  is 
being  corrected  and  the  name  of  the  MONITORING  DEMON  which  is 
monitoring  the  correction. 
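The pattern-invoked DETECTION DEMON of 2.2.4.2 and the MONITORING DEMON of 2.2.4.3 can be sketched as follows. This is an added illustration, not code from the report: the datum layouts, the `OPEN-CROSSFEED-VALVE` correction name, the timing parameters and the sample readings are all assumptions constructed for the example.

```python
class Var:
    """Pattern variable: matches any value and binds it under `name`."""
    def __init__(self, name):
        self.name = name

def match(pattern, datum):
    """Return {variable: value} if the datum fits the pattern, else None."""
    if len(pattern) != len(datum):
        return None
    bound = {}
    for p, d in zip(pattern, datum):
        if isinstance(p, Var):
            if bound.setdefault(p.name, d) != d:   # a repeated variable must agree
                return None
        elif p != d:                               # constants must be equal
            return None
    return bound

class Database:
    """Entering a datum invokes every demon whose pattern the datum matches."""
    def __init__(self):
        self.data, self.demons = [], {}     # demons: name -> (pattern, body)
        self.errors, self.active, self.log = [], {}, []

    def latest(self, pattern):
        """Bindings of the most recent datum matching the pattern, or None."""
        for datum in reversed(self.data):
            bound = match(pattern, datum)
            if bound is not None:
                return bound
        return None

    def enter(self, datum):
        self.data.append(datum)
        for name, (pattern, body) in list(self.demons.items()):
            bound = match(pattern, datum)
            if bound is not None and name in self.demons:
                body(self, bound)

def fuel_flow_zero(db, bound):
    """DETECTION DEMON body; its pattern holds the constant 0, so other readings never reach it."""
    failure = ("INADEQUATE-FUEL-FLOW", bound["engine"])
    if failure not in db.errors and failure not in db.active:
        db.errors.append(failure)
        db.log.append(("detected", failure))

def start_monitor(db, failure, correction, now, success, first_check=2, deadline=5):
    """Build a MONITORING DEMON for one correction and put it on the active list."""
    name = "MONITOR-%s-%s" % failure
    def body(db, bound):
        t = bound["t"]
        if t < now + first_check:           # expected response is not due yet
            return
        if success(db):                     # SUCCESS PREDICATE
            outcome = "corrected"           # a SUCCESS PROGRAM would run here
        elif t >= now + deadline:
            outcome = "correction-failed"   # a FAIL PROGRAM would run here
        else:
            return                          # stay installed; reinvoked on the next time datum
        db.log.append((outcome, failure, t))
        del db.demons[name]                 # served its purpose: remove from the system
        del db.active[failure]
    db.demons[name] = (("TIME", Var("t")), body)
    db.active[failure] = (correction, name)
    return name

def run(readings, engine="ENGINE1"):
    """Feed constructed (time, fuel flow) readings through the database and return it."""
    db = Database()
    db.demons["DETECT-FUEL-FLOW-ZERO"] = (("FUEL-FLOW", Var("engine"), 0), fuel_flow_zero)
    for t, flow in readings:
        db.enter(("FUEL-FLOW", engine, flow))
        while db.errors:                    # correct whatever detection just queued
            failure = db.errors.pop(0)
            ok = lambda db, e=failure[1]: db.latest(("FUEL-FLOW", e, Var("v")))["v"] > 0
            start_monitor(db, failure, "OPEN-CROSSFEED-VALVE", t, ok)
        db.enter(("TIME", t))
    return db

if __name__ == "__main__":
    recovers = [(0, 40), (1, 0), (2, 0), (3, 35), (4, 36)]   # constructed sample input
    print(run(recovers).log)
```

While a correction is on the active list, repeated zero readings do not queue the same failure again, which mirrors the report's statement that errors already being corrected are eliminated from the error list.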

2.2.4.4 CADM Generated Procedures

CADM  keeps  an  error  list  which  contains  all  of  the  recently 
detected  errors.  In  correcting  failures  CADM  eliminates  from 
this  list  those  errors  which  are  already  being  corrected.  The 
entries  are  reordered  so  that  the  highest  priority  error  will  be 
corrected  first.  CADM  maintains  a list  of  all  the  error  types 
that  it  recognizes,  along  with  their  relative  priorities.  This 
list  can  be  altered  by  the  program  whenever  new  information 
indicates  that  the  priorities  should  be  changed.  Whenever  CADM 
corrects  a failure,  the  first  entry  on  the  error  list  is  examined 
and  the  relevant  corrective  routines  are  invoked.  At  this  point, 
CADM  cannot  know  which  procedure  will  eventually  be  applied  to 
correct  the  failure.  It  is  aware  only  that  a class  of  correction 
procedures  exists.  These  procedures  are  collected  into  an 


outline,  called  a CPROG,  for  each  error  type.  This  outline  is 
used  to  determine  in  which  order  the  individual  procedures  are 
examined.  Each  step  in  the  outline  represents  a possible 
approach  to  correcting  the  problem.  CADM  searches  the 
possibilities  in  order  to  find  one  which  it  judges  to  be 
appropriate. 

A correction  procedure  is  generally  composed  of  three 
sections.  In  the  first  section  CADM  tests  to  see  whether  certain 
conditions  exist  among  the  various  valves  and  pumps,  for 
instance.  If  these  conditions  are  not  met,  the  procedure  is 
deemed  to  be  unsuitable  and  the  next  procedure  is  examined.  In 
the  second  section  CADM  determines  whether  it  is  free  to  alter 
the  desired  apparatus.  It  does  this  by  checking  for  jamming  of 
the  particular  apparatus,  conflicts  with  the  pilot,  and  internal 
CADM  conflicts.  In  the  third  section,  when  a procedure  is  found 
which  CADM  wishes  to  apply,  the  apparatus  in  question  are  reset. 
This  activity  has  been  monitored  by  a MONITORING  DEMON  which  was 
constructed  to  ensure  that  the  repair  has  progressed 
successfully. 

If  after  examining  all  the  possible  procedures,  a 
non-conflict  solution  is  not  found,  CADM  returns  to  those  in 
which  a conflict  was  found  and  tries  to  resolve  the  conflict. 




2.2.4.5 The Pilot-CADM Interface

There  were  two  considerations  for  the  establishment  of  the 
Pilot-CADM  interface.  These  were,  first,  the  choice  of  the 
displays  and  controls,  and  second,  the  task  allocation  and  the 
resolution  of  conflicts  between  the  pilot  and  CADM. 

2.2.4.5.1 The Displays and Controls

Hughes  Master  Monitor  Display  [1]  was  chosen  for  the 
displaying  of  failure  detection  information.  For  the  purpose  of 
CADM,  however,  several  extensions  were  made  to  the  MMD.  Since 
CADM  was  demonstrated  in  conjunction  with  a simulated  avionics 
system,  the  actual  dials,  gages,  knobs,  switches,  etc.,  are  not 
available  for  the  pilot  to  observe  and  set.  Thus,  MMD  was 
extended  to  include  a "sensor"  display  and  a "control"  display  as 
well  as  the  "failure  monitor"  display. 

2.2.4.5.2 CADM Task Allocation and Conflict Resolution

CADM's overriding concern is that the pilot must be able to
maintain full control over the airplane's capabilities in order
to successfully carry out the mission and, therefore, CADM must not
undo pilot actions. It monitors the pilot's actions through the
use of the DEMON system. A record is maintained of what
equipment the pilot is using and when he last used it. With the
DEMONS then, CADM can determine whether the pilot is using
equipment which CADM has allocated for its own correction
procedures. If so, CADM can suspend the violated correction
procedure(s) and try to construct one that does not interfere with
the pilot's actions.

2.3 Advanced Features of CADM

Upon the completion of the second phase of development of
CADM, the feasibility of a CADM system for performing simple
tasks  was  demonstrated.  The  third  phase  of  CADM  development 
expanded  this  task  domain  to  include  multiple  failure  correction. 
In  addition,  CADM  itself  was  made  virtually  airplane  independent 
through  improvements  to  its  knowledge  structure  and  through  the 
implementation  of  routines  which  provide  a history  of  the 
correction  procedures  which  CADM  attempts  to  effect. 

2.3.1  Generalized  CADM  Correction  Procedures 


Because a goal of the CADM project is to investigate and
develop a computer system which aids a pilot in carrying out
missions, an attempt to make the CADM system as general as
possible in its applications to different aircraft was
undertaken. This means that the techniques used should not be
geared to correcting a fixed class of errors on a fixed airplane
type. To accomplish this, the system was augmented to introduce
generality in two areas. First, the airplane model is treated as
factual data rather than being explicitly coded into the program.
Second, the correction procedures are generalized to model
component and instrument types rather than a specific switch or
dial, with programmed knowledge of how these component types
operate and affect the operation of the airplane.


In addition, the correction procedures were generalized.
This was effected by the addition of two functions called MAKE
and IS. The potentially relevant action procedures are generally
associated with a component class. The system searches through
the airplane model semantic net by use of the functions MAKE and
IS. Basically, MAKE isolates action procedures and is used to
construct correction procedures while IS is used to examine the
state of the world to determine whether some condition is true or
false for a group of components.


Whenever  a MAKE  call  returns  (at  any  level),  several  types 
of  information  are  present: 


1.  A linear  program  segment  (possibly  NIL)  indicating 
what  steps  and  intermediate  sensory  checks  should 
be  made  in  order  to  bring  about  the  desired 
results.

2.  A structure  called  HISTORY  summarizing  the  results 
of  the  construction  effort.  Also  included  in  the 
history  is  information  indicating  why  certain  steps 
are  in  the  plan  segment,  as  well  as  what  to  do  if  a 
continuation  of  the  search  is  necessary.  This  is 
used  during  error  recovery. 

3.  Optional  procedures  indicating  what  to  do  upon 
successful  completion  or  failure  of  the  procedure. 
This  may  indicate  such  things  as  inferences  which 
may  be  made  or  directions  which  should  be  pursued. 


An IS call simply returns a HISTORY, possibly indicating
which sensors were used to determine values.

2.3.2  Histories  and  Error  Recovery 

It  is  not  reasonable  for  the  system  to  assume  that  just 
because  a possible  correction  procedure  could  be  constructed, 
that  the  procedure  will  always  be  effective.  Therefore,  CADM  has 
methods for constructing new and different procedures which take
into  account  all  new  information  as  well  as  the  knowledge  of 
previously  unsuccessful  correction  attempts.  The  structure 
called  HISTORY  performs  this  function. 

The  form  of  the  HISTORY  structure  has  four  elements.  The 
first  element  calls  on  MAKE  to  set  a component,  a component  class 
or  a sensor  type  to  a desired  state.  The  second  element  is  a 
list  of  lists  which  indicate  the  current  or  expected  state  of  the 
particular equipment being considered. The third element
contains a list of relevant information such as histories or
variables to be saved. The total information necessary to
recreate the decision process can be obtained because each
HISTORY  can  include  an  arbitrary  number  of  histories.  The  final 
element  of  a HISTORY  is  a pointer  indicating  the  continuation 
point  of  an  ACTION  procedure. 




2.3.3  Multiple  Failure  Handling 

Included among the class of multiple failures are those
cases in which failures occur simultaneously, as well as those in
which failures occur while CADM is monitoring the progress of
on-going correction procedures. This involves CADM's overseeing
the allocation of aircraft components. To do this, a variable
priority  structure  relating  the  importance  of  correcting  a class 
of  failures  to  the  mission  profile  and  available  equipment  was 
implemented.  While  a correction  is  being  made,  all  components 
which  are  to  be  used  are  allocated  by  the  system  to  the 
correction  procedure.  The  affected  equipment  is  said  to  be 
protected.  Pilot  usage  of  components  also  causes  protections  to 
be  instituted.  Before  any  equipment  is  to  be  used,  a check  is 
made  to  ensure  that  no  protection  violations  will  occur. 

Occasionally, a correction procedure for a failure will be
constructed which is not the best possible (with respect to the
expected speed of correction) but is the best available. This
may be because the "better" equipment has been allocated for
other purposes. In this system, the correction procedure which
was determined would be initiated, but if the "better" equipment
becomes available before the correction has been completed, the
procedure would be re-evaluated to determine if it is possible to
upgrade into one incorporating the "better" equipment.
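The protection check, priority ordering and later upgrade described in this section can be sketched as below. This is an added example, not the report's code: the fixed priority table, the component and procedure names, and the per-failure outlines are constructed assumptions, and the report's priority structure is variable where this table is static.

```python
# Constructed data: priority per error type (1 = most urgent) and, per error type, an
# outline of candidate procedures in preference order with the equipment each one needs.
PRIORITY = {"INADEQUATE-FUEL-FLOW": 1, "HYDRAULIC-PRESSURE-LOW": 2}
OUTLINE = {
    "INADEQUATE-FUEL-FLOW": [("ELECTRIC-PUMP", {"EPUMP1", "CB12"}),
                             ("CROSSFEED", {"VALVE3", "IPUMP"})],
    "HYDRAULIC-PRESSURE-LOW": [("ELECTRIC-HYD-PUMP", {"HPUMP3", "CB12"}),
                               ("ACCUMULATOR", {"VALVE7"})],
}
PILOT = "PILOT"

class Allocator:
    def __init__(self):
        self.protected = {}    # component -> owner (PILOT or the failure being corrected)
        self.running = {}      # failure -> (rank in outline, procedure name)
        self.unresolved = []   # failures for which every procedure conflicts

    def _usable(self, components, owner):
        """Protection check made before any equipment is used."""
        return all(self.protected.get(c, owner) == owner for c in components)

    def _release(self, failure):
        for c in [c for c, o in self.protected.items() if o == failure]:
            del self.protected[c]
        self.running.pop(failure, None)

    def _allocate(self, failure, better_than=None):
        """Protect the equipment of the best procedure that violates no protection."""
        for rank, (name, components) in enumerate(OUTLINE[failure]):
            if better_than is not None and rank >= better_than:
                break
            if self._usable(components, failure):
                self._release(failure)          # drop equipment of a replaced procedure
                for c in components:
                    self.protected[c] = failure
                self.running[failure] = (rank, name)
                return name
        return None

    def correct(self, failures):
        """Start corrections, most important failure first."""
        for f in sorted(failures, key=PRIORITY.get):
            if f not in self.running and self._allocate(f) is None:
                self.unresolved.append(f)

    def reevaluate(self):
        """Upgrade running corrections whose 'better' equipment has become available."""
        for f in sorted(self.running, key=PRIORITY.get):
            self._allocate(f, better_than=self.running[f][0])

    def complete(self, failure):
        self._release(failure)
        self.reevaluate()

    def pilot_uses(self, component):
        """Pilot usage protects the component; a correction that held it is rebuilt."""
        holder = self.protected.get(component)
        self.protected[component] = PILOT
        if holder not in (None, PILOT):
            self._release(holder)
            if self._allocate(holder) is None:
                self.unresolved.append(holder)
        self.reevaluate()

    def pilot_releases(self, component):
        if self.protected.get(component) == PILOT:
            del self.protected[component]
        self.reevaluate()

if __name__ == "__main__":
    a = Allocator()
    a.correct(["HYDRAULIC-PRESSURE-LOW", "INADEQUATE-FUEL-FLOW"])
    print(a.running)                     # hydraulic failure settles for ACCUMULATOR
    a.complete("INADEQUATE-FUEL-FLOW")
    print(a.running)                     # CB12 is free again: upgraded procedure
```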




SECTION III

THE  SIGNIFICANCE  OF  CADM  - AN  OVERVIEW 


Research is ultimately judged both within and without its
specific  academic  and  theoretical  fields.  This  means  that  CADM 
will  be  judged  not  only  by  its  theoretical  richness  within  the 
field  of  artificial  intelligence,  but  within  more  global 
contexts.  In  the  USAF,  the  global  context  consists  of  the  set  of 
prevailing,  current,  and  anticipated  management  and  operational 
problems.  In  these  contexts  the  evaluative  criterion  for 
research  is  simply,  "Does  this  work  address,  offer  insight  into, 
or  solve  any  aspect  of  my  problems?" 

A prevailing  problem  in  the  USAF  has  been  the  increasing 
life-cycle  costs  of  avionics  systems  [12].  A major  portion  of 
these  spiraling  costs  has  been  attributed  to  the  avionics 
software. A costly deficiency in procured by the USAF
in the past has been the software's lack of flexibility.
Typically  the  procurement  of  a new  avionics  system  required  the 
purchase  of  a unique,  ground  based  support  machine  and  the 
associated  software  for  maintaining,  translating  code  for,  and 
interfacing  with  the  on-board  machine.  The  USAF  operational 
environment  (aircraft  are  dispersed  over  the  world,  the  same 
avionics  system  is  used  in  different  types  of  aircraft,  one 
aircraft  may  have  several  different  avionics  systems)  has 
resulted from the purchase of many "unique" support machines and
several flavors of support software for each new avionics system.




3.1 The Generality of CADM

The research accomplished during Phase 3 indicates that a
portion  of  the  problem  of  inflexibility  need  not  be  a future 
concern  for  the  USAF.  The  CADM  we  have  implemented  is 
essentially  airplane  independent,  i.e.,  the  software  is  not 
written  for  any  one  specific  airplane  with  a specific  number  of 
valves,  pumps,  engines,  fuel  tanks,  electrical  generators,  etc. 
Once  the  host  aircraft  configuration  is  provided,  CADM  constructs 
a data  structure  representing  the  specific  aircraft  and  uses  this 
one-time  computed  structure  in  correcting  failures  and  error 
conditions  on  that  aircraft. 

The  CADM  design  philosophy  provides  flexibility  in  two 
dimensions:  across  types  of  airplanes,  since  the  CADM  correction 
procedures  would  work  as  well  on  a B-52  as  on  an  F-15;  and 
across  time,  since  CADM  can  generate  a new  representative  data 
structure  as  a result  of  modifications  to  existing  aircraft*. 
Within these bounds, the presently implemented CADM is fully
sufficient for handling any fuel and electrical power
distribution system. This means that no additional software is
required regardless of how such systems are configured. It also
means that no conceptual extension is required (although more
subsystem specific software is necessary) to provide sufficiency
for handling any other subsystem which can be modeled as a
network of discrete components.

*The degree to which this is possible is limited only by the
degree to which CADM's model of the subsystem components (valves,
pumps, etc.) is consistent with the actual aircraft components.
The present CADM implementation models such components in a
general, but somewhat idealized manner.


3.1.1  CADM  Knowledge  Structure 

Within  the  field  of  programmed  intelligence,  two  primary 
criteria  are  used  to  determine  how  intelligent  a particular 
program  is,  namely,  the  generality  and  the  adaptability  of  the 
particular  implementation.  The  previous  discussion  has  revealed 
CADM  to  be  highly  general,  using  no  specific  aircraft  dependent 
techniques.  This  high  degree  of  generality  is  derived  from  two 
properties  of  the  structure  of  CADM's  store  of  knowledge.  First, 
correction  procedures  are  associated  not  with  individual  aircraft 
components  but  with  classes  of  components,  and  second,  aircraft 
subsystem  error  conditions  are  defined  in  terms  of  aircraft 
system  parameters  rather  than  in  terms  of  component  states. 

CADM's  knowledge  is  stored  in  a procedural  net  [13]  which  is 
a hybrid  data  structure  resulting  from  the  merging  of  a technique 
for  producing  a semantic  net  [14]  and  a technique  for  the 
procedural  specification  of  knowledge  [15]. 


3.1.2  Hierarchies  of  System  Component  Classes 


In  CADM,  classes  of  aircraft  subsystem  components  and 


components. Procedures (programs) are associated with the most
general nodes in a particular hierarchy (see Figure 3). This
type  of  structure  is  suitable  for  modeling  classes  of  components 
in the most general way. For example, the concept 'VALVE' is
represented  as  being  an  entity  that  is  between  an  engine  and  a 
tank.  In  our  implementation  all  valves  are  electrically 
actuated.  Hence,  the  concept  'VALVE'  is  subordinate  to  the 
concept  'ELECTRICAL  INSTRUMENT'.  Electrical  instruments  have 
switches  to  control  them  and  circuit  breakers  to  connect  them  to 
their  source  of  power.  Since  the  concept  of  an  electrical 
instrument  is  very  general,  procedures  to  determine  whether  any 
electrical  instrument  is  on  or  off  (the  switch  must  be  on,  the 
circuit breaker closed, and the power source active if the
instrument is to be on) and procedures for turning any electrical
instrument on or off are associated with the concept node
'ELECTRICAL INSTRUMENT'.

The advantage in this method is that a specific valve (e.g.
VALVE37) only need have a pointer to the concept node 'VALVE' to
inherit all the properties of valves. If more valves are added
to an existing aircraft, the data structure representing the
aircraft subsystem does not have to be completely reconfigured.
Rather, one additional node and a pointer from that node to the
concept node 'VALVE' is all that must be added to ensure that the
added valves can be turned on and off*. There is no need for a
specific procedure for controlling a specific valve (e.g.
VALVE37). Of course, if VALVE37 is an unusual or special valve
requiring a specific procedure to control it, that procedure can
be associated directly with the node 'VALVE37', thereby
preventing the more general valve control procedures from
affecting VALVE37.

*Additional pointers must be added to the tanks and/or engines
involved to ensure that the valves' functions in relation to the
existing components are understood by the program.

[Figure 3 diagram: nodes ELECTRICAL INSTRUMENT, SWITCH, VALVE, VALVE 1 and VALVE 2 joined by IS-A links, with PREDICATE and ACTION procedure lists ((ON...) (OFF...)).]

Figure 3. A hierarchy of procedures involving an
electrical instrument.

3.1.3  System  Parametric  Definitions  of  Failures 

Equally important in providing CADM's generality is the
definition  of  error  conditions  in  terms  of  system  parameters 
(engine  temperature,  fuel  flow,  etc.).  This  means  that  CADM  does 
not  have  to  continuously  monitor  the  status  of  every  individual 
component.  This  method  of  definition  eliminates  two  problems. 
First,  because  the  number  of  components  in  an  aircraft  is  very 
large,  continuously  monitoring  each  component  would  consume  much 
of the limited on-board computational capacity. Second, since
there  is  usually  considerable  redundancy  in  aircraft  systems, 
knowing  the  status  of  a particular  component  may  convey  little 
useful  information  by  itself.  An  error  condition  is  typically 
caused  by  improper  relationships  existing  between  several 
components  rather  than  by  the  state  of  any  one  particular 
component.

Therefore,  error  conditions  are  defined  by  such  entities  as 
ENGINE  TEMP  LOW  and  INADEQUATE  FUEL  FLOW  rather  than  by  PUMP1  OFF 
or  VALVE3  ON.  This  means  that  the  correction  procedures  can  be 
highly generalized specifications, as for instance, MAKE TEMP
NORMAL and MAKE FUEL FLOW POSITIVE, where TEMP NORMAL and FUEL
FLOW  POSITIVE  are  defined  conditions.  For  example,  FUEL  FLOW 
POSITIVE  requires  fuel  to  be  available  from  some  tank,  a valve 
between  the  tank  and  the  appropriate  engine  to  be  open,  and  one 
of  the  fuel  pumps  to  the  appropriate  engine  to  be  on. 
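The class hierarchy of 3.1.2 and the parametric definition of FUEL FLOW POSITIVE can be combined in one sketch. This is an added example and not the report's MAKE and IS functions: the net contents, slot names, the `add_valve` helper and the special unlocking behaviour of VALVE37 are constructed assumptions.

```python
PROCEDURES = {}   # (node name, procedure name) -> function(net, component)

def build_net():
    """Constructed airplane model: each node has an IS-A pointer plus its own slots."""
    return {
        "ELECTRICAL-INSTRUMENT": {"is_a": None},
        "VALVE":     {"is_a": "ELECTRICAL-INSTRUMENT"},
        "FUEL-PUMP": {"is_a": "ELECTRICAL-INSTRUMENT"},
        "GEN1":  {"is_a": None, "active": True},
        "TANK1": {"is_a": None, "fuel": 0},
        "TANK2": {"is_a": None, "fuel": 1800},
        "VALVE1": {"is_a": "VALVE", "switch": True, "breaker_closed": True,
                   "power": "GEN1", "between": ("TANK1", "ENGINE1")},
        "VALVE2": {"is_a": "VALVE", "switch": False, "breaker_closed": True,
                   "power": "GEN1", "between": ("TANK2", "ENGINE1")},
        "PUMP1":  {"is_a": "FUEL-PUMP", "switch": True, "breaker_closed": True,
                   "power": "GEN1", "feeds": "ENGINE1"},
    }

def isa(net, node, concept):
    """True if `concept` is reachable from `node` along IS-A pointers."""
    while node is not None:
        if node == concept:
            return True
        node = net[node]["is_a"]
    return False

def find_procedure(net, node, name):
    """Walk up the IS-A pointers; a procedure on a more specific node shadows the general one."""
    while node is not None:
        if (node, name) in PROCEDURES:
            return PROCEDURES[(node, name)]
        node = net[node]["is_a"]
    raise LookupError("no %s procedure" % name)

def instrument_is_on(net, c):
    """General predicate: switch on, circuit breaker closed, power source active."""
    s = net[c]
    return bool(s["switch"] and s["breaker_closed"] and net[s["power"]]["active"])

def instrument_turn_on(net, c):
    net[c]["switch"] = True

def valve37_turn_on(net, c):
    """Constructed special case: this valve must be unlocked before its switch is set."""
    net[c]["unlocked"] = True
    net[c]["switch"] = True

PROCEDURES[("ELECTRICAL-INSTRUMENT", "is_on")] = instrument_is_on
PROCEDURES[("ELECTRICAL-INSTRUMENT", "turn_on")] = instrument_turn_on
PROCEDURES[("VALVE37", "turn_on")] = valve37_turn_on

def is_on(net, c):
    return find_procedure(net, c, "is_on")(net, c)

def turn_on(net, c):
    find_procedure(net, c, "turn_on")(net, c)

def add_valve(net, name, tank, engine):
    """Adding a valve is one node and one pointer (plus its links to tank and engine)."""
    net[name] = {"is_a": "VALVE", "switch": False, "breaker_closed": True,
                 "power": "GEN1", "between": (tank, engine)}

def fuel_flow_positive(net, engine):
    """Defined condition: a tank with fuel, an open valve from it, and a running pump."""
    pump_on = any(net[p].get("feeds") == engine and isa(net, p, "FUEL-PUMP") and is_on(net, p)
                  for p in net)
    valve_open = any(isa(net, v, "VALVE") and "between" in net[v]
                     and net[v]["between"][1] == engine
                     and net[net[v]["between"][0]]["fuel"] > 0 and is_on(net, v)
                     for v in net)
    return pump_on and valve_open

def error_conditions(net, engine):
    """Errors are stated as system parameters, not as states of single components."""
    return [] if fuel_flow_positive(net, engine) else [("INADEQUATE-FUEL-FLOW", engine)]

if __name__ == "__main__":
    net = build_net()
    print(error_conditions(net, "ENGINE1"))   # VALVE1 is open but TANK1 is empty
    turn_on(net, "VALVE2")
    print(error_conditions(net, "ENGINE1"))
```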


3.2 The Adaptability of CADM


The  generalized  structure  of  knowledge  and  the  generalized 
definition  of  error  conditions  result  in  CADM's  being  a 
compensator  rather  than  a diagnostician. 


3.2.1 CADM's Role as an Operator

Because CADM is motivated to keep the aircraft flying rather
than  to  determine  exactly  what  caused  the  error  condition,  its 
performance  is  more  that  of  an  operator  than  of  a maintainer.  It 
is  cognizant  of  the  constraints  of  operating  in  real  time.  There 
are  three  distinct  reasons  for  this.  The  first  reason  is  that, 
in  an  operational  aircraft,  an  error  condition  is  a serious  thing 
that  needs  correcting  immediately.  The  first  priority  is  to 
restore  the  aircraft's  capability  and  the  second  priority  is  to 
identify  what  caused  the  problem  and  then  repair  it  if  possible. 

The second reason is that CADM must cooperate with other
intelligent entities. One of these entities is the pilot. If
the pilot turns a particular valve, CADM assumes that the pilot
has  a good  reason  for  doing  so,  even  if  closing  the  valve  causes 




an  error  condition.  Consequently,  rather  than  competing  with  the 
pilot and opening the same valve that the pilot just closed, CADM
must compensate by finding another way to keep the aircraft
flying, thereby preserving the pilot's independence. A second
intelligent entity which CADM must deal with is CADM itself.
CADM must be able to solve many problems simultaneously, i.e.,
multiple error conditions may occur simultaneously, may be
detected simultaneously, and may require simultaneous correction.
To accomplish this, CADM creates independent correction
procedures, one for each error condition, and lets them operate
concurrently. This means that there might be competition between
two independent correction procedures for the same component.
The  losing  procedure  must  find  another  way  of  accomplishing  its 
goal  even  if  the  desired  component  is  not  available  for  use. 

Finally,  the  third  reason  is  that  in  our  implementation  the 
components  are  idealized  and,  with  few  exceptions  (circuit 
breakers  can  become  jammed  open  or  closed),  they  cannot  fail. 
Later  versions  of  CADM  will  include  non-idealized  components  and 
the  capability  to  diagnose  the  fundamental  cause  of  error 
conditions.


3.2.2  Adaptability  Demonstrated  by  Program  Response 

Whereas  generality  is  that  property  of  a program  design  that 
ensures  broad  applicability  of  the  program,  adaptability  is  that 
property  of  a program  that  ensures  stability  of  the  program's 
performance  within  any  one  of  its  applications.  In  our 


implementation,  adaptability  is  demonstrated  by  the  response  of 
the  program  to  perturbations  in  the  composition  of  the  aircraft 
system,  to  the  pilot's  desires,  or  to  the  failure  of  one  of 
CADM's  generated  procedures  to  correct  an  error  condition. 

3.2.2.1 Responses to Failures

Consider  the  case  when  an  aircraft  engine  is  turned  off  in 
flight  because  it  was  damaged.  An  intelligent  system  would  no 
longer  expect  FUEL  FLOW  POSITIVE  to  be  desirable  for  the 
non-functioning  engine.  CADM  recognizes  FUEL  FLOW  POSITIVE  into 
a damaged  or  destroyed  engine  as  an  error  condition  and  corrects 
it  in  the  same  manner  that  it  recognizes  FUEL  FLOW  ZERO  as  an 
error  condition  into  a healthy  engine. 

3.2.2.2  Responses  to  Pilot  Intervention

In  response  to  the  pilot's  desires,  there  are  three 
available  modes  of  CADM  operation.  Normally,  CADM  will  be  in  a 
fully  operational  mode  where  it  is  detecting  and  correcting  all 
error  conditions.  If  for  some  reason  the  pilot  does  not  desire 
CADM's  assistance,  he  may  completely  disable  CADM.  In  this 
situation,  CADM  becomes  dormant,  its  second  mode  of  operation, 
and  is  sensitive  only  to  the  pilot's  call  to  return  to  duty. 


Finally, CADM may be placed in monitor mode where it detects
error conditions and advises the pilot of them, but does nothing
to correct them. These multiple modes have research as well as
operational implications. Such a capability is required if the
performance of the man-machine combination in various situations
is to be evaluated.


3.2.2.3  Responses  to  Correction  Procedure  Failures

A final example of CADM's intelligence and adaptability is
its ability to cope with failure. If in the process of
investigating an approach to correct an error condition CADM
finds a method to be unfruitful, it provides as a continuation
point for itself a data structure called a HISTORY. Using this
HISTORY,  CADM  either  may  continue  by  investigating  other  methods 
within  the  same  approach,  or  if  the  approach  is  found  to  be 
unsuccessful,  it  may  try  other  alternate  approaches.  The 
important  point  is  that  CADM  does  not  have  to  start  all  over 
again  when  a method  or  approach  does  not  prove  successful.  It  is 
able  to  make  use  of  results  of  past  efforts  to  solve  the  problem. 
Only  after  all  approaches  have  proved  ineffective  does  CADM  pass 
the  error  condition  to  the  pilot  for  correction. 
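The sketch below is an added example, not code from the report or from CADM. It illustrates both the competition between concurrent correction procedures for one component and the HISTORY continuation point described above. The class and function names, the approach/method tables, and the component names are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

PASS_TO_PILOT = "PASS TO PILOT"

@dataclass
class History:
    """Continuation point: every (approach, method) already examined, with the reason it failed."""
    error: str
    tried: list = field(default_factory=list)  # entries are (approach, method, reason)

    def already_tried(self, approach, method):
        return any((a, m) == (approach, method) for a, m, _ in self.tried)

def correct(error, approaches, claimed, jammed, history=None):
    """Return (choice, history); choice is (approach, method, component) or PASS_TO_PILOT."""
    history = history if history is not None else History(error)
    for approach, methods in approaches.items():
        for method, component in methods:
            if history.already_tried(approach, method):
                continue  # resume from the HISTORY instead of starting over
            if component in jammed:
                history.tried.append((approach, method, component + " jammed"))
            elif component in claimed:  # lost the competition to another procedure
                history.tried.append((approach, method, component + " in use"))
            else:
                claimed.add(component)
                return (approach, method, component), history
    return PASS_TO_PILOT, history  # every approach proved ineffective

def mark_unfruitful(history, choice, claimed, reason):
    """Record that an applied method did not clear the error and release its component."""
    approach, method, component = choice
    claimed.discard(component)
    history.tried.append((approach, method, reason))

# Constructed sample data: approaches, methods and components are hypothetical.
APPROACHES = {
    "restore primary feed": [("open feed valve", "valve_A"), ("run boost pump", "pump_1")],
    "crossfeed": [("open crossfeed valve", "valve_X")],
}

def demo():
    claimed, jammed = set(), {"valve_A"}
    first, h1 = correct("FUEL FLOW ZERO, engine 1", APPROACHES, claimed, jammed)
    second, h2 = correct("FUEL FLOW ZERO, engine 2", APPROACHES, claimed, jammed)
    mark_unfruitful(h2, second, claimed, "flow still zero")
    third, h2 = correct("FUEL FLOW ZERO, engine 2", APPROACHES, claimed, jammed, h2)
    return first, second, third, h2
```

In this simplification a method skipped because its component was in use stays in the HISTORY even if the component is later released.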


